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included  in  the  back  of  this  report  beginning  on  page  29. 
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staff.  17 

Agency  Response:   Concur.  See  page  31. 

v 


SUMMARY   OF   RECOMMENDATIONS   (Continued) 

Page 
C.       Conduct  periodic  disaster   recovery 

exercises.  17 

Agency   Response:      Concur.      See  page  31. 

Recommendation  #6 

The  Computer  Center  improve  software 

development  policies  and   procedures.  21 

Agency   Response:      Concur.      See  page  32. 

Recommendation  #7 

The  university  adopt  policies  and   proce- 
dures so  that  all  mainframe  software 
application  development  work  is  coordi- 
nated with  the  Computer  Center.  22 

Agency  Response:      Concur.      See  page  32. 

Recommendation  #8 

The  Computer  Center  improve  software 

maintenance  policies  and   procedures.  23 

Agency   Response:      Concur.      See  page  33. 

Recommendation  #9 
The  university: 

A.  Document  computing   resource  demands 

in  more  detail.  28 

Agency   Response:      Concur.      See  page  33. 

B.  Conduct  more  detailed  capacity  plan- 
ning and  evaluate  which  demands  are 

cost  justifiable.  28 
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CHAPTER    I 

INTRODUCTION 

An  EDP  audit  of  University  of  Montana  data  processing  activ- 
ities was  performed  at  the  request  of  the  Legislative  Audit  Commit- 
tee.     This   report  summarizes  the  results  of  our  EDP  audit. 

OBJECTIVES   OF  AUDIT 

The  objectives  of  the  EDP  audit  were  to  evaluate  data  process- 
ing  controls   at   the   University   of  Montana    (UofM)    and   to   determine 
if  university  data   processing   activities  are  being  managed  efficiently 
and  effectively. 

During  our  audit  we  asked  university  officials  for  responses 
on  selected  audit  findings.  These  areas  related  to  report  issues 
and  recommendations  and  were  discussed  with  university  personnel 
during   the  audit. 

SCOPE  OF  AUDIT 

The  audit  focused  on  the  efficiency  and  effectiveness  of  UofM 
data  processing  activities  and  management  of  these  activities.  It 
did  not  include  a  review  of  the  financial  status  of  the  university. 
In  addition,  we  briefly  examined  university  word  processing  activ- 
ity during  the  audit.  The  audit  was  conducted  in  accordance  with 
generally  accepted  governmental   performance  auditing   standards. 

COMPLIANCE 

As  part  of  our  audit  we  reviewed  compliance  with  UofM  and 
Board  of  Regents  policies  related  to  data  processing  activities.  We 
noted  no  significant  areas  of  noncompliance.  During  the  audit  we 
identified  specific  areas  where  new  policies  or  revisions  of  current 
policy  are  necessary.  These  areas  are  discussed  in  related  report 
sections  or  in  management  memoranda.  For  items  we  did  not  test, 
nothing  came  to  our  attention  that  would  indicate  significant  non- 
compliance. 


MANAGEMENT   MEMORANDA 

Twelve  management  memoranda  were  issued  during  our  audit. 
Through  these  memoranda  we  communicated  to  university  manage- 
ment issues  which  were  not  significant  enough  to  be  included  in 
the  audit  report  but  were  such  that  UofM  officials  may  wish  to 
address  them. 

The  twelve  management  memorandum  issues   included: 

1.  Password  standards. 

2.  Gandalf  dataswitch  maintenance. 

3.  Placement  of  fire  detection  and  suppression   devices. 

4.  Security  over  data  entry  documents. 

5.  Datafile  security. 

6.  Project  control   for  system  software  modifications. 

7.  Timing  of  physical   plant  jobs. 

8.  Internal      auditor      involvement      in      software      application 
development. 

9.  Software  application  documentation. 

10.  Choice  of  controls  for  software  applications. 

11.  The  Computer  Center's  project  control   system. 

12.  Segregation  of  application  development  access. 

During  the  audit,  the  university's  controller  noted  an  interest 
in  finding  additional  ways  to  collect  past  due  accounts  receivable. 
We  offered  to  perform  an  experimental  match  between  the  univer- 
sity's past  due  accounts  receivable  file  and  the  central  payroll 
system.  As  a  result  of  the  match,  50  persons  owing  the  university 
a  total  of  nearly  $10,000  were  identified. 


CHAPTER   II 
BACKGROUND 

The  UofM  Computer  Center  was  formed  in  1972  to  consolidate 
academic  and  administrative  data  processing  facilities.  A  Digital 
Equipment  Corporation  DECSYSTEM-10  computer  was  acquired  to 
meet  the  computing  needs  of  the  campus. 

In  1977,  the  center  acquired  a  DECSYSTEM-2050  to  meet 
increased  user  needs.  This  system  was  expanded  several  times 
and  is  presently  classified  as  a  DECSYSTEM-2065.  In  1982  a 
DECSYSTEM-2020  computer  was  installed  and  in  1984  a  second 
DECSYSTEM-2020  was  purchased  from  Eastern  Montana  College.  A 
VAX  11/785  super  minicomputer  was  acquired  with  student  com- 
puter fees  during  1984.  In  addition,  the  Computer  Science  Depart- 
ment operates  a  VAX   11/750  super  minicomputer. 

COMPUTER  CENTER  ORGANIZATION  AND  STAFFING 

The  following  chart  depicts  the  organizational  structure  of  the 
Computer  Center. 

ORGANIZATION   OF   THE   UNIVERSITY   OF  MONTANA  COMPUTER  CENTER 
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The  Computer  Center  has  a  staff  of  33.6  FTE.  The  33.6  FTE 
consist  of  12.1  FTE  for  Computer  Center  Operations,  18  FTE  for 
Administrative  Information  Systems,  1.5  FTE  for  Telecommunica- 
tions, an  administrative  assistant  and  the  Computer  Center  direc- 
tor. 

The  Telecommunications  section  was  recently  created.  This 
section's  primary   responsibility   is  the  university   telephone  system. 

The  Administrative  Information  Systems  section  provides 
software  application  development,  programming,  production,  and 
data  entry  services. 

The  Computer  Center  Operations  section  consists  of  system 
software  specialists  and  various  operations  personnel  who  keep 
UofM's  major  computers  and  system  software  operational.  This 
section  also  provides  user  assistance  with  various  computing 
methods  and  techniques  and  software  applications  available  on  UofM 
computers. 

FUNDING  AND   EXPENDITURES 

Computer  Center  data  processing  activities  are  funded  from 
two  different  sources.  Part  of  the  university's  appropriation  is 
directly  allocated  to  an  administrative  computer  fund  which  is 
divided  among  campus  departments.  Department  computer  charges 
are  deducted  from  each  department's  allocation.  The  administrative 
computer  fund  money  is  earmarked  for  use  by  the  Computer  Center 
for  operations. 

Auxiliary  departments,  off-campus  accounts,  and  grant  and 
contract  work  are  the  only  sources  of  direct  reimbursement  the 
Computer  Center  receives  for  the  computer  services  it  provides. 
In  fiscal  year  1983-84  approximately  $40,000  of  $1.26  million  in 
computer  services  provided  were  directly   reimbursed. 

Computer  Center  expenditures  for  fiscal  year  1983-84  are 
shown   in  the  following   illustration. 


COMPUTER  CENTER  EXPENDITURES  -  UNAUDITED 
Fiscal  Year  1983-84 

Center    Administrative  Administrative 
Operations    Production      Development     Total 


Personal  Services 
Operating  Expenses 
Equipment  &  Buildings 
Total  Expenditures 


$357,780 

323,520 

62,905 

$744,205 


$121,510 
3,159 

$124,669 


$388,935 
6,511 

$395,446 


$  868,225 

333,190 

62,905 

$1,264,320 


Source:   Statewide  Budgeting  and  Accounting  System 

Illustration  2 

Another  source  of  funding  for  data  processing  activities  is  a 
student  computer  fee.  At  all  units  of  the  Montana  University 
System,  a  computer  fee  of  $1  per  quarter  per  credit  hour  (up  to  a 
maximum  of  twelve  credit  hours)  is  assessed  for  all  students. 
Board  of  Regents  policy  states  that  this  money  is  to  be  used  for 
purchase  or  lease  of  computer  hardware  and  software  for 
instructional  purposes.  It  may  not  be  used  for  recurring  person- 
nel services.  In  fiscal  year  1983-84,  $285,000  in  student  computer 
fees  were  collected.  The  student  computer  fee  money  for  fiscal 
years  1983-84  and  1984-85  is  being  used  to  purchase  the  VAX  11/785 
and  numerous  microcomputers  for  academic  departments. 


COMPUTER   CENTER    RESPONSIBILITIES 

The  Computer  Center's  major  responsibility  is  to  provide  the 
university  with  the  necessary  computing  resources  to  efficiently 
and  effectively  operate.  The  Computer  Center  has  evolved  from  a 
small,  basic  needs  operation  serving  limited  campus  users,  to  a 
general  purpose  service  facility  providing  computing  resources  for 
the  instructional,  research,  and  administrative  activities  of  the 
university  and  various  off-campus  users.  The  center  also  pro- 
vides development  and  production  services  to  campus  administrative 
offices,  consulting  services  to  students  and  faculty,  and  operational 
and    technical    support    services    to    the    entire    campus.       Production 


services  include  running  batch  data  processing  software  applica- 
tions for  users  and  reconciling  application  output.  Short  courses 
and  training  seminars  are  provided  by  Computer  Center  User 
Services  to  help  educate  users  on  the  various  features  available  on 
university  computers. 

COMPUTER  USERS  ADVISORY   COMMITTEE 

A  Computer  Users  Advisory  Committee  (comprised  of 
students,  faculty,  and  staff)  serves  in  an  advisory  role  to  the 
Computer  Center  director  and  university  administration.  This 
committee  provides  computer  users  input  for  campus  data 
processing  decisions.  The  committee  has  made  some  specific 
recommendations  related  to  campus  word  processing  and  the  use  of 
the  student  computer  fee. 

MAJOR  COMPUTER  EQUIPMENT 

UofM  has  five  major  computers.  The  following  illustration 
summarizes  the  university's  major  computers,  date  the  computer 
was  installed,   purchase  costs,   and  primary  users. 


MAJOR  COMPUTER  EQUIPMENT 
UNIVERSITY  OF  MONTANA 
Fiscal  Year  1984-85 


I2££ 


Description 


Purchase 
Costs 
Installation   Including 

Date      Upgrades   Primary  Users 


DECSYSTEM-2065A   Large,  mainframe 
computer  system 

DECSYSTEM-2020B  Medium,  mainframe 
computer  system 

DECSYSTEM-2020C  Medium,  mainframe 
computer  system 


1977 


1982 


1984 


1984 


$1,245,800  Administrative 
and  A.cademic 

$   73,000  Academic 
$   30,000  Academic 


VAX  11/785       Large,  super 

minicomputer  system 

VAX  11/750*      Mid-sized,  super       1982 
minicomputer  system 

*Located  at  the  Computer  Science  Department,  University  of  Montana. 


$   302,163  Upper  Division 
Academic 

$   147,565  Computer  Science 
Department 


Source:   Computer  Center,  University  of  Montana 
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MICROCOMPUTERS 

Microcomputer  use  at  the  university  has   increased   significantly 
in  the  last  five  years.      Five  years  ago  there  were  no  microcomputers 
on  campus.      Presently  there  are  88  microcomputers  on   campus  with 
another  28  on   order.      Of  the  88  microcomputers  on   campus,    80  are 
used   for  academic  purposes. 

Currently  UofM  has  no  microcomputer  policies  except  for  those 
pertaining  to  microcomputer  purchases.  Formal  microcomputer 
policies  have  not  been  developed  because  the  use  of  microcomputers 
on  campus  has  grown  tremendously  in  the  last  few  years  and  the 
university    officials    have    concentrated    on    other    issues.       Computer 


Center    officials     indicated     they     plan    on     developing     policies    and 
procedures. 

Formal  microcomputer  policies  and  procedures  would  make 
university  microcomputer  users  aware  of  university  positions  and 
policy  on  specific  issues  and  also  provide  general  guidelines  for 
operating  and  using  microcomputers.  The  university  should  con- 
sider the  following  when  developing   formal   microcomputer  policies. 

-  Ownership   rights  of  software  developed  by  university  faculty, 
students,   and  staff. 

-  Types    of   controls    to    consider    when    developing    custom    soft- 
ware. 

-  Acquisition  and  use  of  vendor  software. 

-  Storage  of  backup  software  and  data. 

-  Physical  security  of  microcomputer  hardware  and  software. 


CHAPTER   HI 

COMPUTER  CENTER   FACILITY 

The  UofM  operates  a  central  Computer  Center  which  serves  all 
campus  departments.  The  Computer  Center  provides  computing 
resources  for  instructional,  research,  and  administrative  activities 
at  the  university.  Processing  is  performed  on  a  DECSYSTEM-2065, 
two  DECSYSTEM-2020s,  and  a  VAX  11/785.  Computing  resources 
are  generally  available  24  hours  a  day,   seven  days  a  week. 

UofM  COMPUTER  CENTER  FACILITY 


Illustration  4 

During  our  audit  we  reviewed  specific  controls  which  pertain 
to  the  Computer  Center.  The  following  sections  discuss  our 
suggestions  for  improvements. 


MAINTENANCE   CONTRACTS 

Scheduled  maintenance  is  performed  weekly  on  the  DECSYSTEM- 
2065,    once    a    month    on    the    DECSYSTEM-2020B,    and    every    ninety 
days      on      the      VAX   11/785,      which      is      under      warranty      until 


February  1,  1985.  The  DECSYSTEM-2020C  is  not  covered  under 
any  written  maintenance  agreements.  The  Computer  Center  also 
has  no  formal  written  agreement  for  maintenance  on  the 
VAX  11/785  after  the  warranty  expires  on  February  1.  As  a 
result,  two  of  UofM's  major  computer  systems  are  not  covered  by  a 
written  maintenance  agreement. 

The  Computer  Center  has  a  24-hour  written  maintenance 
agreement  for  the  DECSYSTEM-2065,  DECSYSTEM-2020B,  and  for 
various  campus  computer  terminals  at  an  annual  cost  of  $113,928. 
The  Computer  Science  Department  has  a  separate  maintenance 
agreement  on  the  VAX   11/750  which  costs  $9,540  annually. 

Computer  Center  officials  are  aware  of  the  weakness  and  are 
currently  examining  a  maintenance  agreement  which  should  cover 
all  major  Computer  Center  hardware  for  about  $125,000  a  year.  We 
believe  the  university  should  conclude  a  formal  written  maintenance 
agreement  as  soon  as  possible  to  ensure  that  computer  hardware  is 
adequately  maintained. 

RECOMMENDATION   #1 

WE  RECOMMEND  UofM  CONCLUDE  A  FORMAL  WRITTEN 
MAINTENANCE  AGREEMENT  COVERING  ALL  MAJOR 
COMPUTER   HARDWARE. 


POWER   PROTECTION   SYSTEM 

Computer  hardware  failure  may  be  caused  by  increases  or 
decreases  in  the  specified  voltage  of  an  external  power  supply. 
Some  type  of  power  protection  is  necessary  so  that  computer 
operations  are  not  disrupted.  At  this  time,  the  Computer  Center 
has  no  such   power  protection. 

During  our  review  of  the  Computer  Center's  operation  logs 
for  a  three-month  period  (September  through  November  1984),  we 
noted  that  the  DEC-2065  was  inoperable  (down)  seven  times,  the 
DEC-2020B  was  down  six  times,  and  the  DEC-2020C  was  down  four 
times  due  to  fluctuations  in  power.  These  disruptions  in  operation 
caused     lost    time     to    Computer    Center    personnel    and    to    specific 
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users.      For  example,    in  October  1984  a  problem  with  the  DECSYSTEM- 
2065    resulted    in    the    loss   of   hundreds   of   student    records.      As   of 
December     1984,     the    Admissions    Office    had    expended    more    than 
65  hours    to    restore    the    student    records    lost    during    the    incident 
and  had  not  completed   restoration  of  all  the  lost  records. 

We   believe   the   university   should   purchase  a   power   protection 
system  for  the  Computer  Center.      The  university  has  three  options: 

1.  Purchase  a  power  distribution  system  which  will  even  out 
minor  power  fluctuations  and  protect  the  hardware  from 
power  surges.  The  cost  for  such  a  system  would  be 
about  $23,000  according  to  one  vendor. 

2.  Purchase  a  power  distribution  system  and  a  generator. 
This  system  protects  the  computers  from  power  surges 
and  evens  out  minor  power  fluctuations.  In  addition, 
minor  power  fluctuations  will  not  cause  a  disruption. 
This  combination  would  be  substantially  more  expensive 
than  the  power  distribution  system.  A  similar  system 
now  used  at  Montana  State  University  would  cost  $60,000 
to  replace. 

3.  Purchase  an  uninterruptable  power  supply  (UIP).  A  UIP 
does  all  of  the  above  plus  it  allows  a  controlled  shutdown 
of  the  system  in  the  event  of  a  power  outage.  This  aids 
in  the  recovery  of  software  applications  which  were 
running  at  the  time  of  the  disruption.  A  UIP  system 
similar  to  the  state  Department  of  Administration's  would 
cost  approximately   $100,000. 


RECOMMENDATION  #2 

WE  RECOMMEND  UofM  ANALYZE  THEIR  NEEDS  AND  PUR- 
CHASE A  POWER  PROTECTION  SYSTEM  FOR  THE  COMPUTER 
CENTER. 


ADEQUACY  OF  FACILITY  SPACE 

The  location,  layout,  and  physical  construction  of  the  data 
processing  department  can  affect  its  processing  capabilities.  The 
UofM  Computer  Center  is  located  in  the  basement  of  a  campus 
academic  building  on  the  same  floor  as  a  classroom  and  a  campus 
terminal   room. 
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By  being  located  on  the  same  floor  as  a  classroom  as  well  as  a 
public  terminal  room,  traffic  is  heavy  around  the  Computer  Center. 
Unnecessary  traffic  increases  the  possibilities  of  loss  of  data  from 
human  errors  and  abuses. 

Space  is  also  a  problem  for  the  Computer  Center.  The  cur- 
rent computer  room  is  crowded.  As  a  result,  the  computer  opera- 
tors and  some  equipment  normally  in  the  computer  room  are  located 
in  an  adjacent  office.  The  following  picture  shows  current 
computer  room  conditions. 

UofM  COMPUTER  ROOM 


Illustration  5 


Most  available  space  is  being  used  for  offices  for  personnel  so 
paper  supplies  are  stored  in  the  hallways.  This  poses  a  potential 
fire  hazard  and  it  increases  the  possibility  of  theft  of  paper. 
Paper  storage  is  shown  in  the  following  picture. 
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COMPUTER  CENTER  PAPER  SUPPLY  STORACE 


Illustration  6 

Office  space  is  also  insufficient.  The  Computer  Operations 
manager  is  currently  housed  in  an  office  whose  only  access  is 
through  the  computer  room.  This  arrangement  causes  undue 
traffic  through  the  computer  room.  The  halon  fire  extinguishers 
located  in  the  computer  room  also  pose  a  safety  hazard.  The  halon 
devices  will  extract  all  the  oxygen  from  the  computer  room  in  the 
event  of  a  fire  and  it  is  unlikely  that  the  Operations  Manager  will 
receive  adeouate  advance  warning  to  be  able  to  evacuate  before 
the  halon  devices  are  set  off. 
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OPERATIONS  MANAGER'S   OFFICE   INSIDE   COMPUTER   ROOM* 


Illustration  7 
*The  door  marked  LIBRARY   is   the   Operations  manager's   office. 

We  believe  the  university  should  consider  placing  its  computer 
facility  in  a  new  or  existing  building  which  would  allow  additional 
space.  The  type  of  building  makes  little  difference.  For  example, 
Washington  State  University  placed  its  Computer  Center  under  the 
stands  on  one  side  of  its  football   stadium. 

RECOMMENDATION   #3 

WE    RECOMMEND    UofM    EXAMINE    ALTERNATIVE    LOCATIONS 

FOR  THE   COMPUTER   FACILITY. 
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DISASTER   RECOVERY 

With  any  computerized  operation,  backup  and  disaster  recov- 
ery planning  are  important  activities.  UofM  would  experience 
problems  operating  without  its  computer  systems.  Adequate  backup 
and  recovery  planning  minimizes  the  inconvenience  in  the  event  of 
a  disaster  at  the  computer  facility.  We  believe  some  disaster 
recovery  policy  decisions  and  improvements  to  the  disaster  recov- 
ery  planning   would  be  beneficial. 

The  occurrence  of  a  problem  which  would  require  a  disaster 
recovery  effort  may  appear  remote  but  it  could  occur  at  any  time. 
During  our  review,  the  center  experienced  a  power  problem  which 
caused  a  total  system  shutdown.  Luckily,  the  damage  was  minor 
but  it  could   have  disabled   UofM's  Computer  Center. 

Disaster   Recovery   Policy   Issues 

UofM  and  Eastern  Montana  College  (EMC)  have  an  informal 
mutual  disaster  recovery  backup  agreement.  This  agreement  is  the 
primary  short-term  processing  alternative  for  both  universities. 
We  did  not  find  any  written  agreement  on  some  issues  which  we 
believe  to  be  important,    including: 

1  .  How  long  should  the  host  unit  count  on  providing  back- 
up service? 

2.  What  types  of  resources  are  necessary  to  process  the 
other  unit's  critical  applications? 

3.  Are  the  operating  systems  and  hardware  being  kept 
concurrent  and,  if  not,  what  steps  are  necessary  to 
compensate? 

We  suggest  UofM  management  establish  a  memorandum  of 
understanding   with   EMC. 

RECOMMENDATION    #*4 

WE     RECOMMEND     UofM     FORMALIZE      ITS     MUTUAL     BACKUP 

ACREEMENT   WITH    EMC. 
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Disaster   Recovery   Plan 

During  our  review,  we  found  that  the  Computer  Center  has 
not  formalized  their  disaster  recovery  plan.  At  this  time  only  a 
"rough  draft"   exists  which  was  developed  as  an  outline  in  May   1983. 

The  center's  present  plan  is  a  good  base  which  could  be 
expanded  upon.      The  plan  could   include,    in  detail,   such  areas  as: 


1. 

2. 
3. 


5. 
6. 


Data: 

Hardware: 
Software: 


4.        Personnel 


Supplies 


Listing     all    off-premises    master     files  -  their 
date,    location,   and  procedures  for  updating. 

Giving  a   listing  of  current  inventory. 

Giving     location     and     arrangements     for     off- 
premises  backup. 

Listing   names  and   phone  numbers  of  Computer 
Center   management,    data    processing    person- 
nel,  and  current  vendor   representatives. 

Listing     special     forms     and     supplies     stored 
off-premises. 


Documentation:  Listing  the  location  of  backup  tapes  of 
source  code,  application  run  manuals,  and 
operator  manuals. 


7.        Facilities 


Describing    space    and    support    services    such 
as  telephone  lines. 


The  current  plan  addresses  most  of  these  areas  although  more 
detail  may  be  desirable.  Any  information  not  in  the  current  plan 
is  available  and  only  needs  to  be  consolidated   in  the  plan. 

The  plan  could  also  address  some  policy  issues  related  to 
disaster  recovery.     These  include: 

1.  What  activity  will  be  off  loaded  to  make  room  for  EMC  to 
process?  (It  is  improbable  that  either  university  has 
sufficient  capacity  to  process  its  own  activity  plus  the 
other  university's.) 

2.  Given  the  limited  amount  of  capacity  available  at  EMC, 
which  applications  will  be  transported  to  the  other  site? 
Some  flexibility  as  to  order  will  be  necessary  depending 
on  where  in   the  month  or  quarter  the  problem  occurs. 
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3.  What  will  become  of  non-priority  applications?  The  users 
should  be  informed  of  their  priority  status  so  they  can 
make  alternative  arrangements. 

4.  How  are  student  users  going   to  be  accommodated? 

The  disaster  recovery  plan  should  be  fully  documented  and 
cover  several  levels  of  disruption.  It  also  should  be  relayed  to  all 
center  personnel  to  ensure  their  specific  functions  in  the  event  of 
a  disaster  are  known.  During  our  audit  we  found  personnel  who 
did  not  know  any  details  of  their  disaster  duties  and  were  not 
familiar  with  the  center's  present  disaster  plan. 

The  current  draft  plan  calls  for  testing  to  assure  the  mini- 
mization of  problems  in  the  event  of  a  real  emergency.  We  did  not 
find  evidence  of  such  testing,  although  the  center  has  had  some 
situations  where  the  staff  had  to  start  taking  recovery  actions. 
During  the  audit,  we  asked  the  center  to  simulate  recovery  of  the 
payroll  system.  The  Computer  Center  experienced  few  problems 
during  the  recovery  exercise  and  handled  these  problems  appropri- 
ately. We  believe  the  exercise  was  useful  to  the  center  for  identi- 
fying potential  problem  areas.  We  suggest  the  center  conduct 
other  such  exercises,  when  feasible,  to  improve  their  prepared- 
ness. 

The  Computer  Center  should  formalize  its  disaster  recovery 
plan,  communicate  the  required  tasks  more  effectively  to  the  staff, 
and  conduct  periodic  disaster  recovery  exercises. 

RECOMMENDATION   #5 

WE   RECOMMEND   THE   COMPUTER   CENTER: 

A.  FORMALIZE   ITS   DISASTER   RECOVERY    PLAN. 

B.  COMMUNICATE   THE   REQUIRED   TASKS   TO  THE  STAFF. 

C.  CONDUCT    PERIODIC   DISASTER    RECOVERY    EXERCISES. 
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CHAPTER    IV 
SOFTWARE  APPLICATION    DEVELOPMENT   AND  MAINTENANCE 

The  Administrative  Information  System  section  of  the  Computer 
Center  is  responsible  for  the  design,  development,  installation, 
and  maintenance  of  software  applications.  These  software  applica- 
tions consist  of  instructions  which  tell  the  computer  how  to  process 
certain  tasks  such  as  calculating  net  pay  as  part  of  a  payroll 
software  application.  Development  of  an  application  involves 
defining  the  needs  of  the  user,  designing  the  application,  develop- 
ing it,  testing  it,  and  finally  installing  it.  Maintenance  includes 
providing  specific  support  to  the  users  of  the  application  such  as 
correcting  any  errors  which  may  prevent  the  application  from 
running  as  designed  or  making  modifications  which  would  improve 
the  application. 

The  illustrations  below  show  Administrative  Information  Sys- 
tem's software  application  development  and  maintenance  costs  for 
selected  applications  for  fiscal  years  1982-83,  1983-84,  and  the 
first  half  of  1984-85. 
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SOFTWARE  APPLICATION  DEVELOPMENT  COSTS 
FOR  SELECTED  APPLICATIONS 
Fiscal  Years  1982-83  through  1984-85 

Total 
Fiscal    Fiscal     Fiscal    Develop- 
Year      Year      Year  ,    ment   „ 
Software  Application      1982-83    1983-84    1984-85     Costs 

Electronic  Funds  Transfer  $  -0-  $21,606  $  9,018  $  30,624 
Physical  Plant  Inventory 

System  11,661  40,118  2,916  54,695 

Advanced  Registration  483  44,200  84,591  129,274 

Alumni/Foundation  62,468  76,492  -0-  138,960 

Accounts  Receivable  90,620  -0-  -0-  90,620 

Financial  Aids  85,100  41,132  1,350  127,582 

Cost  figures  for  the  first  six  months  of  fiscal  year  1984-85. 

2 
These  costs  only  include  the  cost  of  staff  time  and  do  not  include 

related  computer  costs.   Complete  information  is  not  available  for 

computer  costs  associated  with  these  projects. 

Source:   Computer  Center,  University  of  Montana 

Illustration  8 


MAINTENANCE  COSTS  FOR  SELECTED  SOFTWARE  APPLICATIONS1 


Fiscal  Years 

1982 

-83  through 

1984- 

-85 

Total 

Fiscal  Year 

Fiscal  Year 

F: 

Lscal  Year„ 
1984-85 

Maintenance 

Software  Application 

1982-83 

1983-84 

Costs 

Accounts  Receivable 

$5,198 

$  6,240 

$    945 

$12,383 

Claims 

3,059 

130 

135 

3,324 

Payroll 

6,072 

21,710 

6,453 

34,235 

Alumni/Foundation 

161 

17,628 

11,178 

28,967 

These  costs  only  include  the  cost  of  staff  time  and  do  not  include 
related  computer  costs.  Complete  information  is  not  available  for 
computer  costs  associated  with  the  maintenance  work. 

2 
Cost  figures  for  the  first  six  months  of  fiscal  year  1984-85. 

Source:   Computer  Center,  University  of  Montana 

Illustration  9 
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SOFTWARE  APPLICATION    DEVELOPMENT 

During  our  audit  of  Computer  Center  activities  we  reviewed 
the  center's  software  application  development  process  to  determine 
what  controls  are  in  place.  During  fiscal  year  1983-84,  center 
development  staff  completed  five  development  projects.  Another 
nine  development  projects  are  currently  in  progress.  Payroll 
electronic  funds  transfer,  student  preregistration,  and  general 
purchasing  are  examples  of  recently  developed  applications  or 
applications  that  are  currently  in  progress. 

Software  Application   Development   Process 

The  software  application  development  process  should  include 
reasonable  controls  to  ensure  that  application  development  re- 
sources are  efficiently  and  effectively  used  and  the  application 
processes  information  according  to  specifications.  During  our 
review  we  noted  areas  where  the  Computer  Center's  software 
application   development  process  could   be  improved. 

1.  Cost/Benefit  Analysis  -  The  Computer  Center  conducts 
limited  cost/benefit  analysis  for  software  applications 
they  develop.  Currently  UofM  has  a  much  greater 
demand  for  computer  and  application  development  re- 
sources than  can  be  met.  Without  comparison  of  costs 
and  benefits,  university  officials  may  not  be  allocating 
these  resources  efficiently  and  effectively. 

2.  Formal  Post-Implementation  Review  -  Computer  Center 
officials  do  not  conduct  formal  reviews  of  software  appli- 
cations developed  by  the  center  after  the  applications 
have  been  implemented  by  the  user  departments.  Without 
a  post-implementation  review,  problems  with  applications 
may  be  treated  as  isolated  instances  and  the  real  cause 
of  the  problems  may  not  be  determined.  The  post-imple- 
mentation review  may  help  university  management  to 
determine  how  actual  benefits  and  costs  compare  to 
estimates,  if  the  application  performs  as  envisioned,  and 
if  adequate  controls  are  in   place  and   functioning. 

3.  Formal  Approval  by  User  Management  -  User  management 
informally  approves  each  phase  in  the  development 
process,  but  there  is  no  formal  written  approval  of 
various   phases  during   the  development   process.      Without 
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formal  prior  approval  of  each  phase  of  the  software 
application  development  process  there  is  a  possibility 
that  a  software  application  could  be  completely  devel- 
oped, and  the  user  not  be  satisfied.  As  a  result,  the 
user  may  have  to  request  changes  which  should  have 
been  made  when   the  application   was  being  developed. 

4.  Formal  Software  Application  Conversion  Standards  and 
Plans  -  No  formal  conversion  standards  or  plans  exist. 
The  conversion  plans  would  help  assure  that  software 
applications  are  converted  consistently,  accurately,  and 
completely. 

5.  Testing  Practices  and  Procedures  -  The  Computer  Center 
should  improve  standards  for  testing  completed  programs 
and  applications.  With  improved  testing  standards  there 
is  more  assurance  that  software  applications  are  consis- 
tently and  adequately  tested. 

Final  acceptance  tests  are  not  conducted  for  software 
applications  developed  by  the  Computer  Center  staff.  If 
a  final  acceptance  test  is  not  done,  there  is  a  possibility 
that  an  application  may  not  work  and  deficiencies  may 
not  be  noted  until  the  application   is  implemented. 

The  Computer  Center  should  develop  policies  and  procedures 
to  ensure  that  adequate  cost/benefit  analysis,  post-implementation 
review,  formal  approval,  conversion  planning,  and  testing  of 
software  applications  are  conducted. 

RECOMMENDATION  #6 

WE  RECOMMEND  THE  COMPUTER  CENTER  IMPROVE  SOFT- 
WARE DEVELOPMENT  POLICIES  AND  PROCEDURES. 


External   Software  Development 

A  limited  number  of  computer  software  applications  are  devel- 
oped by  the  Computer  Center.  The  remaining  requested  applica- 
tions are  either  not  developed,  or  are  developed  outside  the  Com- 
puter Center  at  the  expense  of  the  requesting  department.  Some 
campus  departments  utilize  private  consultants  or  computer  science 
students  to  develop  software  applications  because  the  applications 
they  wish  to  develop  are  not  given  high  priority  by  the  univer- 
sity. 
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In  our  EDP  audit  work  we  noted  an  example  where  computer 
science  students  developed  a  software  application  for  a  campus 
department  which  was  never  implemented.  The  Computer  Center 
director  did  not  authorize  allocation  of  computer  space  to  run  the 
application  because  Computer  Center  officials  believe  the  applica- 
tion was  designed  in  such  a  manner  that  it  could  not  be  imple- 
mented. University  resources  were  expended,  yet  the  application 
was  not  implemented. 

Currently,  software  applications  developed  for  campus  depart- 
ments by  private  consultants  and  computer  science  students  are 
not  coordinated  with  the  Computer  Center.  Without  coordination  of 
software  applications  being  developed  on  campus,  the  Computer 
Center  cannot  effectively  manage  available  hardware  capacity.  In 
addition,  there  is  no  assurance  that  software  applications  are  not 
being   unnecessarily  duplicated  on  campus. 

The  university  should  develop  policies  and  procedures  that 
ensure  that  all  mainframe  software  application  development  work  is 
coordinated   with   the   Computer   Center. 

RECOMMENDATION    #7 

WE    RECOMMEND     UofM    ADOPT     POLICIES    AND    PROCEDURES 
SO   THAT  ALL  MAINFRAME   SOFTWARE  APPLICATION    DEVELOP- 
MENT   WORK     IS    COORDINATED    WITH    THE    COMPUTER    CEN- 
TER. 


SOFTWARE   APPLICATION   MAINTENANCE 

During  the  audit  we  examined  the  software  application  mainte- 
nance process  and  related  maintenance  controls.  The  software 
application  maintenance  process  should  provide  assurance  that 
application  maintenance  is  performed  completely  and  accurately. 
We  noted  two  areas  where  the  maintenance  process  could  be  im- 
proved. These  areas  include  better  project  documentation  and 
project  review. 

1.        Project      Documentation   -      During      our      field      work,      we 
reviewed    a    sample    of   20    software    maintenance    requests. 
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We  found  little  documentation  concerning  who  requested 
the  change,  what  type  of  software  application  was  being 
changed,  or  what  tests  were  performed  before  the  change 
was  implemented.  We  also  noted  some  examples  where 
supporting  documentation  for  software  applications  was 
not  regularly  updated.  To  ensure  that  there  are  admin- 
istrative procedures  for  review  of  all  phases  of  software 
maintenance  projects,  as  well  as  to  adequately  control 
each,  all  requested  changes  should  be  supported  by  a 
formal  maintenance  request. 

2.  Project  Review  -  During  our  review  we  also  found  that 
there  is  little  formal  review  of  software  maintenance 
projects  by  supervisory  personnel.  A  request  is  normally 
given  to  a  programmer  who  not  only  makes  the  change 
but  also  tests  and  implements  it.  To  reduce  the  possi- 
bilities of  errors  occurring  in  these  changes,  as  well  as 
assuring  the  work  is  performed  completely  and  standards 
are  followed,  an  independent  or  supervisory  review 
should  be  performed  periodically  on  software  maintenance 
projects. 

The  Computer  Center  should  develop  policies  and  procedures 
to  ensure  that  application  maintenance  projects  are  adequately 
documented  and   reviewed. 


RECOMMENDATION  #8 

WE  RECOMMEND  THE  COMPUTER  CENTER  IMPROVE  SOFT- 
WARE MAINTENANCE  POLICIES  AND  PROCEDURES. 
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CHAPTER  V 

COMPUTER   RESOURCES,    DECSYSTEM  MIGRATION,    AND    FUNDING 

At  the  beginning  of  the  audit,  UofM  officials  indicated  current 
data  processing  capacity  of  the  DECSYSTFM-2065  was  not  adequate 
to  meet  the  needs  of  the  university.  Limited  logon  access  and 
slow  system  response  were  the  major  problems  noted  by  UofM 
officials.  During  our  field  work,  we  examined  the  processing 
capacity  of  UofM's  major  computer  system,  the  DECSYSTEM-2065. 
The  next  three  sections  discuss  the  demand  for  Computer  Center- 
resources,  the  DECSYSTEM  migration  and  computer  funding  at 
UofM. 

DEMAND    FOR   COMPUTER   RESOURCES 

Our  own  observation  of  UofM  computer  systems  over  a  period 
of  about  two  months  confirmed  that  data  processing  users  were 
experiencing  problems  with  logon  access  and  slow  system  response. 
We  contacted  eleven  users  from  four  administrative  offices  to 
determine  if  they  have  had  problems  logging  on  to  the  DECSYSTEM- 
2065  or  with  system  response.  All  administrative  users  that  we 
contacted  indicated  that  they  routinely  experience  some  kind  of 
access  or  response  problems  when  using  the  DECSYSTEM-2065. 
For  example,  one  user  conducted  a  five-day  time  study  and  found 
that  it  took  7£   hours  of  queue  time  to  process  2\   hours  of  work. 

Computer  Center  officials  indicated  that  recently  developed  or 
planned  software  applications  will  require  additional  capacity  to 
operate  as  originally  designed.  For  example,  the  Physical  Plant's 
Central  Stores  Inventory  aplication  currently  being  developed  by 
the  Computer  Center  is  primarily  an  on-line,  interactive  application 
which  requires  good  accessibility  and  response  time  from  the 
DECSYSTEM-2065.  The  university  has  also  decided  to  develop  or 
buy  a  Purchasing/ Payables  application  which  is  also  an  on-line, 
interactive  application. 

According  to  Computer  Center  officials,  present  university 
data    processing    hardware   will    not   facilitate   the   satisfactory   use   of 
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additional  on-line,  interactive  applications  such  as  Central  Stores 
Inventory  and  a  new  Purchasing/ Payables  application.  Based  on 
our  observation  of  current  processing  problems  and  the  resource 
requirements  of  on-line,  interactive  applications,  we  concur  with 
this  conclusion.  As  a  result,  the  university  is  expending  re- 
sources to  develop  or  acquire  applications  for  which  the  university 
currently   lacks  capacity  to  run  effectively. 

Recent  efforts  to  move  some  DECSYSTEA7I-2065  users  to  the 
DECSYSTEM-2020s  and  the  VAX  11/785  and  recent  upgrades  of  the 
DECSYSTEM-2065  have  had  limited  effect  on  the  current  hardware 
capacity  problem. 

In  planning  for  the  upcoming  biennium,  the  university  identi- 
fied 70  requests  by  campus  departments  for  software  applications. 
Due  to  current  hardware  capacity  and  Computer  Center  develop- 
ment staff  limitations,  only  five  to  ten  of  these  requests  can  be 
completed  each  year.  While  the  cost/benefit  of  each  request  has 
not  been  explored  by  the  university,  the  magnitude  of  the  requests 
in  relation  to  those  which  can  be  completed  indicates  a  large 
degree  of  unmet  demand.  This  was  further  reinforced  when  we 
noted  that  some  departments  were  contracting  with  outside  parties 
to  develop  applications. 

Another  area  where  demand  is  high  is  Computer  Center  User 
Services.  User  Services  provides  a  variety  of  training  classes  to 
users  of  UofM  computer  systems.  Classes  range  from  an  introduc- 
tion to  UofM  computer  facilities  and  organization  to  more  technical 
areas  such  as  electronic  mail  and  computer  graphics. 

Over  the  past  two  years  User  Services  has  had  to  turn  away 
approximately  20  percent  of  all  persons  interested  in  taking  the 
classes  they  offer.  This  compounded  with  the  increased  variety 
and  complexity  of  computer  hardware  and  software  being  used  adds 
to  the  number  of  uninformed  users.  Those  interested  in  gaining  a 
better  understanding  of  computing  methods  and  techniques  are  not 
able  to.  As  a  result,  users  may  be  spending  their  time  ineffec- 
tively using  the  computer  and  may  not  be  using  computer  capacity 
effectively  due  to  lack  of  knowledge. 
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DECSYSTEM  MIGRATION 

In  mid-1983,  DEC  announced  that  it  was  discontinuing  pro- 
duction of  the  DECSYSTEM  20  series  computers.  At  that  time, 
DEC  said  that  it  would  support  the  20  series  software  for  at  least 
five  years  and  the  hardware  for  up  to  ten   years. 

As  support  for  DECSYSTEM  20  computers  diminishes,  hard- 
ware maintenance  rates  may  rise  making  it  economically  unattractive 
to  keep  the  20  series  computers,  and  support  for  the  DECSYSTEM 
operating  system  may  degrade  causing  more  work  for  UofM's  soft- 
ware specialists. 

UofM  has  some  options  for  migration  of  its  data  processing 
activities  including: 

-  DEC's  VAX   line  of  super  minicomputers. 

-  A  successor  to  the  DEC  20  series  computers  under  develop- 
ment by  a  private  firm  in  cooperation  with  Stanford  Univer- 
sity. 

The  use  of  VAX  super  minicomputers  for  university  research 
and  instruction  and  the  use  of  some  other  hardware  for  the 
university  administration. 

Any  of  these  alternatives  could  work  for  UofM  but  each  would 
require  a  significant  appropriation  to  implement  successfully. 
Another  complicating  factor  is  that  UofM  should  start  the  migration 
this  biennium  to  allow  for  a  controlled  transfer  and  to  prevent  a 
large   future  outlay  of  funds. 

FUNDING 

Excluding  auxiliary  departments,  off-campus  accounts  and 
grant  and  contract  work,  the  Computer  Center  is  not  directly 
reimbursed  for  the  computer  services  it  provides.  As  previously 
noted,  in  fiscal  year  1983-84  approximately  $40,000  of  $1.26  million 
in  computer  services  provided  were  directly  reimbursed.  These 
users  are  not  funded  by  the  state  General  Fund  and  depend  upon 
other   funding   sources   for  their  operations. 

The  Computer  Center  has  developed  billing  rates  for  actual 
computer    use,     software    application     development,     and     production 
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services.  Individual  departments  are  allocated  funds  for  these 
three  areas.  Within  the  administrative  computer  fund,  expended 
amounts  can  exceed  original  department  allocations  in  specific  areas 
and  also  exceed  the  total  amount  allocated  to  the  department.  If  a 
department  expends  more  than  its  allocation,  the  overexpense  will 
be  absorbed  within  the  fund  by  another  department  that  did  not 
expend  all  of  its  allocation.  Because  of  the  administrative  com- 
puter fund  arrangement,  campus  departments  are  not  being  directly 
charged  for  computer  services. 

We  reviewed  Computer  Center  billing  records  for  fiscal  year 
1983-84  and  found  that  some  departments  which  have  funding 
sources  other  than  the  state  General  Fund  are  not  being  directly 
charged  for  computer  services  provided  by  the  Computer  Center. 
These  services  are  being  charged  against  the  administrative  com- 
puter fund  which  is  General  Fund  money.  For  example,  the 
Alumni/UofM  Foundation  used  about  $144,200  of  computer  services 
provided  by  the  Computer  Center  during  fiscal  year   1983-84. 

We  believe  that  entities  which  have  outside  sources  of  funding 
should  directly  pay  for  any  services  provided  by  UofM.  The 
Foundation  and  Alumni  Office  are  separate  entities  from  the  univer- 
sity and  as  such  should  not  receive  funding  support  from  the 
university. 

SUMMARY 

During  our  review,  we  noted  that  UofM  projected  demand  for 
data  processing  cannot  be  met  with  current  resources.  In  addi- 
tion, UofM  will  need  to  migrate  from  the  DECSYSTEM  20  series 
computers. 

The  current  Computer  Center  budget  is  not  sufficient  to 
begin  the  migration  or  provide  additional  data  processing  re- 
sources. UofM  will  have  to  explore  other  funding  sources  to  meet 
data  processing  demands.  The  university  may  acquire  additional 
funds  for  data  processing  by  charging  more  users  or  reallocating 
administrative  funds. 

UofM's  five-year  plan  for  computing  identifies  unmet  computing 
requests    at    UofM.      The    plan    does    not    include    a    current    detailed 
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analysis  of  present  and  future  computing  use.  The  analysis 
should  include  such  information  as  types  of  users,  the  resources 
required  by  the  types  of  users,   and  the  time  of  day  of  use. 

With  more  detailed  information  on  computing  resource  uses  and 
requests,  university  officials  can  better  determine  the  amount  and 
type  of  computing  resources  needed.  Then,  UofM  officials  can 
conduct  more  detailed  capacity  planning  than  is  currently  available 
and  can  better  evaluate  which  demands  are  cost  justifiable. 

RECOMMENDATION    #9 
WE   RECOMMEND   UofM: 

A.  DOCUMENT    COMPUTING    RESOURCE    DEMANDS    IN    MORE 
DETAIL. 

B.  CONDUCT    MORE    DETAILED    CAPACITY    PLANNING    AND 
EVALUATE  WHICH    DEMANDS   ARE   COST   JUSTIFIABLE. 
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AGENCY    RESPONSE 


(^University 
>*/  of  Montana 


Vice  President  for  Fiscal  Affairs     •    Missoula,  Montana  59812     •    (406)  243-2311 


March  11,    1985 


Mr.   Richard  Varner  RFP,Fi\/Fn 

EOP  Audit   Supervisor  ' l"   -•/j-t  v  !—  i-* 

Office  of  the  Legislative  Auditor  |\,]AR  ]  1  13S5 

Room  135 

St  ate  Cap  i  to  1    Bu  i  1  di  nq  MONTANA  LEGISLATIVE  AUOITDR 

Helena,    MT     59620 

Hear  L'ick: 

Marrh  1f teiru«?r0Vipf  the  UnJversity,s  response  to  the  EDP  Audit  Report  dated 
March  4,  1985.  Please  contact  either  Steve  Henry  or  myself  if  you  have  any 
questions  or  comments  prior  to  our  meeting  with  the  Legislative  Audit  Committee. 

Regarding  that  meeting,  please  recognize  that  the  University  administration  has 
many  commitments  during  the  Legislative  Session  which  may  conflict  with  poten- 
tial meeting  dates  or  times.  I  would  appreciate  discussinq  the  date  for  the 
committee  review  as  soon  as  possible  so  that  we  may  avoid  conflict. 

Best,  regards, 

Glen  I.  Williams 
Vice  President  for 
Fiscal  Affairs 

biW:bd 

cc:  Steve  henry,  Computer  tenter 

Sylvia  Weisenberger,  Internal  Audit 
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LEGISLATIVE  EDP  AUDIT  REPORT  FOR  THE  UNIVERSITY  OF  MONTANA 

UNIVERSITY  OF  MONTANA  RESPONSE 

March  11,  1985 


Chapter  I   —  Introduction 

The  University  finds  no  factual  inaccuracies  in  Chapter  1  of  the  EDP  Audit 
Report.  The  University  prefers  not  to  address  at  this  time  any  of  the 
management  memoranda  listed  in  Chapter  1. 

Chapter  I_I  --  Background 

The  University  finds  no  factual  inaccuracies  in  Chapter  2  of  the  EDP  Audit 
Report.  Regarding  microcomputer  policies  discussed  on  pages  7  and  8  of  the 
EDP  Audit  Report,  we  wish  to  note  that  the  University  presently  is  developing 
policies  concerning  the  use  of  microcomputers  for  administrative  applications 
(including  the  development  of  custom  software)  and  the  acquisition  and  use  of 
vendor  software. 


Chapter  III  --  Computer  Center  Facility 

The  University  finds  no  factual  inaccuracies  in  Chapter  3  of  the  EDP  Audit 
Report. 

RECOMMENDATION  #1  --  Maintenance  Contracts 

"WE  RECOMMEND  UofM  CONCLUDE  A  FORMAL  WRITTEN  MAINTENANCE  AGREEMENT  COVERING 
ALL  MAJOR  COMPUTER  HARDWARE." 

The  University  concurs  with  the  recommendation. 

We  wish  to  note,  however,  that  the  University  has  had  continuous  contracted 
maintenance  coverage  for  its  major  computer  hardware  since  1972,  and  in  fact 
such  a  contract  presently  is  in  force  for  equipment  on  site  as  of  July  1, 
1984.  Since  August,  1984,  the  University  and  Digital  Equipment  Corporation 
(DEC)  have  been  negotiating  an  extension  to  the  present  agreement,  which  will 
cover  all  of  the  University's  major  equipment,  including  that  acquired  since 
July  1,  1984.  That  extension  will  result  in  a  comprehensive  agreement  for 
Fiscal  1984-85  which  will  provide  coverage  retroactive  to  July  1,  1984,  for 
approximately  the  same  cost  as  the  present  contract  coverage.  The  negotiation 
has  been  complex  because  the  amount  of  equipment  acquired  by  the  University 
over  the  past  several  months  resulted  in  frequent  changes  to  the  equipment 
configuration  and  the  effective  dates  of  maintenance  coverage.  The  process 
currently  is  now  virtually  complete,  however. 
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During  this  period,  only  the  DECSYSTEM-2020  acquired  from  Eastern  Montana 
College  has  not  been  formally  protected;  the  newly  acquired  VAX-11/785  has 
been  under  warranty  protection.  Also,  the  University  has  an  interim  agreement 
with  DEC  to  provide  coverage  for  all  of  the  University's  major  computer 
equipment,  including  the  EMC  DECSYSTEM-2020.  In  fact,  substantial  work  has 
been  performed  under  that  agreement  when  required,  on  each  of  the  University's 
major  computer  systems. 

RECOMMENDATION  #2  —  Power  Protection  System 

"WE  RECOMMEND  UofM  ANALYZE  THEIR  NEEDS  AND  PURCHASE  A  POWER  PROTECTION  SYSTEM 
FOR  THE  COMPUTER  CENTER." 

The  University  concurs  with  the  recommendation. 

We  will  study  the  appropriate  type  of  power  protection  system,  to  be  purchased 
when  funding  permits. 

RECOMMENDATION  #3  —  Adequacy  of  Facility  Space 

"WE  RECOMMEND  UofM  EXAMINE  ALTERNATIVE  LOCATIONS  FOR  THE  COMPUTER  FACILITY." 

The  University  concurs  with  the  recommendation. 

The  University  has  long  been  aware  of  the  problem  inherent  in  the  present 
Computer  Center  location.  However,  the  University's  overall  space  needs  and 
its  general  lack  of  available  space  provide  few  alternatives  for  relocating 
the  Computer  Center,  other  than  new  construction.  We  will  reexamine  existing 
alternatives. 

RECOMMENDATION  #4  —  Disaster  Recovery  Policy  Issues 

"WE  RECOMMEND  UofM  FORMALIZE  ITS  MUTUAL  BACKUP  AGREEMENT  WITH  EMC." 

The  University  concurs  with  the  recommendation. 

We  will  pursue  a  memorandum  of  understanding  as  suggested  in  the  EDP  Audit 
Report. 

RECOMMENDATION  #5  --  Disaster  Recovery  Plan 

"WE  RECOMMEND  THE  COMPUTER  CENTER: 

A.  FORMALIZE  ITS  DISASTER  RECOVERY  PLAN. 

B.  COMMUNICATE  THE  REQUIRED  TASKS  TO  THE  STAFF. 

C.  CONDUCT  PERIODIC  DISASTER  RECOVERY  EXERCISES." 

The  University  concurs  with  the  recommendation. 

We  will  formalize  our  disaster  recovery  plan  and  procedures  as  suggested  in 
the  EDP  Audit  Report. 


31 


Page  3 


Chapter  W  —  Software  Application  Development  and  Maintenance 


The  University  finds  no  factual  inaccuracies  in  Chapter  4  of  the  EDP  Audit 
Report. 

RECOMMENDATION  #6  —  Software  Application  Development  Process 

"WE  RECOMMEND  THE  COMPUTER  CENTER  IMPROVE  SOFTWARE  DEVELOPMENT  POLICIES  AND 
PROCEDURES." 

The  University  concurs  with  the  recommendation. 

However,  we  wish  to  note  the  following  points: 

1.  Cost/Benefit  Analysis  -  The  University  recognizes  the  value  of 
cost/benefit  analysis  for  software  applications.  However,  the  number  of 
requested  development  projects  is  quite  large  relative  to  the  size  of 
the  development  staff  (page  25  of  the  EDP  Audit  Report  notes  that  70 
requests  were  identified  for  the  upcoming  biennium;  the  development 
staff  consists  of  14  people).  This  precludes  performing  detailed 
cost/benefit  analyses  for  all  requested  projects  prior  to  administrative 
evaluation.  Instead,  cost/benefit  estimates  are  used  for  administrative 
review.  Detailed  cost/benefit  analyses  are  included  in  the  initial 
development  phase  of  approved  projects,  to  ensure  that  development  of 
cost-ineffective  applications  or  features  is  not  undertaken. 

2.  Formal  Post-Implementation  Review  -  We  agree. 

3.  Formal  Approval  by  User  Management  -  We  agree. 

4.  Formal  Software  Application  Conversion  Standards  and  Plans  -  We 
understand  software  application  conversion  requirements  and 
considerations,  but  conversion  situations  have  arisen  so  seldom,  and 
have  been  so  unique  in  circumstance  (the  conversion  of  the  University's 
former  accounting  system  to  SBAS,  for  example)  that  we  have  chosen  to 
handle  the  requirements  of  such  conversions  on  a  case  by  case  basis. 

5.  Testing  Standards  and  Practices  -  We  believe  that,  in  general, 
application  software  is  thoroughly  and  adequately  tested.  However,  we 
will  work  to  establish  uniform  testing  standards  to  ensure  that  testing 
procedures  are  uniform  for  all  applications,  the  the  extent  practical. 
We  agree  with  the  recommendation  regarding  final  acceptance  testing. 

RECOMMENDATION  #7  —  External  Software  Development 

"WE  RECOMMEND  UofM  ADOPT  POLICIES  AND  PROCEDURES  SO  THAT  ALL  MAINFRAME 
SOFTWARE  APPLICATION  DEVELOPMENT  WORK  IS  COORDINATED  WITH  THE  COMPUTER 
CENTER." 

The  University  concurs  with  the  recommendation. 
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We  note,  however,  that  we  are  concerned  not  only  with  external  development  of 
mainframe  software  applications,  but  with  microcomputer  software  applications 
also.  We  are  working  to  develop  policies  and  procedures  which  apply  to  aJM 
external  software  application  development. 

RECOMMENDATION  #8  —  Software  Application  Maintenance 

"WE  RECOMMEND  THE  COMPUTER  CENTER  IMPROVE  SOFTWARE  MAINTENANCE  POLICIES  AND 
PROCEDURES." 

The  University  concurs  with  the  recommendation. 

However,  we  wish  to  note  the  following  points: 

1.  Project  Documentation  -  Existing  policy  requires  that  adequate 
documentation  be  maintained  concerning  requested  changes,  including  the 
application  being  changed,  the  type  of  change,  the  specific  description 
of  the  change,  and  any  pertinent  analyst  or  programmer  documentation 
concerning  changes  made,  and  so-called  "FILCOMs"  (automated  "before  and 
after"  program  source  comparisons).  Existing  policy  also  requires  that 
supporting  application  documentation  be  kept  current.  To  the  extent 
that  this  information  is  not  being  maintained  or  kept  current,  it  is 
contrary  to  existing  policy.  We  agree  that  a  formal  change  request 
mechanism  is  needed,  and  we  will  review  the  overall  policy  for  adequacy. 
Also,  we  will  investigate  adherence  to  the  present  policy. 

2.  Project  Review  -  Existing  policy  requires  that  the  systems  analyst  who 
assigns  a  software  maintenance  project  initial  his/her  final  approval  on 
the  project  assignment  checkoff  list,  indicating  that  supervisory  review 
of  the  completed  project  has  occurred.  We  will  investigate  the  issue  of 
supervisory  review  of  software  maintenance  projects  to  determine  its 
adequacy  and  adherence  to  existing  policy  and  procedures. 

Chapter  V  —  Computer  Resources,  DECSYSTEM  Migration,  and  Funding 

The  University  finds  no  factual  inaccuracies  in  Chapter  5  of  the  EDP  Audit 
Report. 

RECOMMENDATION  #9  —  Resource  Demands  and  Capacity  Planning 

"WE  RECOMMEND  UofM: 

A.  DOCUMENT  COMPUTING  RESOURCE  DEMANDS  IN  MORE  DETAIL. 

B.  CONDUCT  MORE  DETAILED  CAPACITY  PLANNING  AND  EVALUATE  WHICH  DEMANDS  ARE 
COST  JUSTIFIABLE." 

The  University  concurs  with  the  recommendation. 

We  wish  to  note  that  a  detailed  analysis  of  required  capacity  was  not  included 
in  the  University's  five-year  plan  for  computing  because  the  purpose  of  the 
plan  is  to  identify  areas  of  unmet  need,  to  indicate  types  (rather  than 
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precise  quantity)  of  required  resources,  and  to  explain  why  such  resources  are 
necessary  to  meet  the  needs  identified.  An  analysis  of  usage  trends  over  the 
past  five  years  is  summarized  in  the  plan,  however,  and  serves  as  the  basis 
for  projected  needs. 

During  the  course  of  the  audit,  we  provided  samples  of  capacity  analyses  which 
we  previously  conducted,  which  included  information  about  types  of  use,  types 
of  users,  specific  resources  used,  times  of  day  and  academic  quarter  when  uses 
occurred,  etc.,  such  as  is  suggested  in  the  EDP  audit  report.  We  agree  that 
this  information  must  be  updated  before  the  replacement  of  the  DECSYSTEM-20s 
can  be  accomplished. 

Usage  data  are  quite  volatile,  because  needs  and  demands  change  rapidly, 
because  capacity  constraints  influence  usage  patterns  dramatically,  and 
because  the  impact  of  changing  resources  (e.g.,  the  addition  of  a  second 
DECSYSTEM-2020  and  the  VAX-11/785)  requires  time  to  be  felt,  to  stabilize,  and 
to  be  analysed.  A  significant  addition  of  new  resources  invalidates  any 
previous  analysis  of  capacity  requirements,  and  no  meaningful  analysis  can  be 
performed  until  equipment  capacity  and  configuration  has  been  stable  for  a 
period  of  time. 

We  will  perform  a  detailed  capacity  analysis  during  the  coming  months,  as 
computer  resources  and  usage  patterns  stabilize.  Also,  we  are  continuing  an 
analysis  of  long-range  administrative  application  needs,  including  capacity 
requirements.  We  expect  to  utilize  this  information  as  part  of  our  capacity 
planning  efforts. 
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